Re: [TLS] key sizes in TLS.
"Dang, Quynh" <quynh.dang@nist.gov> Tue, 11 June 2013 15:17 UTC
Return-Path: <quynh.dang@nist.gov>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A5E321F99CE for <tls@ietfa.amsl.com>; Tue, 11 Jun 2013 08:17:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EORr+WbdpPTs for <tls@ietfa.amsl.com>; Tue, 11 Jun 2013 08:17:21 -0700 (PDT)
Received: from wsget2.nist.gov (wsget2.nist.gov [129.6.13.151]) by ietfa.amsl.com (Postfix) with ESMTP id 8796F21F99C6 for <tls@ietf.org>; Tue, 11 Jun 2013 08:17:21 -0700 (PDT)
Received: from WSXGHUB2.xchange.nist.gov (129.6.18.19) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.3.123.3; Tue, 11 Jun 2013 11:17:04 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB2.xchange.nist.gov ([129.6.18.19]) with mapi; Tue, 11 Jun 2013 11:17:20 -0400
From: "Dang, Quynh" <quynh.dang@nist.gov>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Tue, 11 Jun 2013 11:17:16 -0400
Thread-Topic: [TLS] key sizes in TLS.
Thread-Index: Ac5mtsOKc7XGmyEJSt6sCg97y5Q04w==
Message-ID: <CDDCAD80.2EBE7%qdang@nist.gov>
In-Reply-To: <CAJU7zaKJ6yHEdwuHKqDBF00yPpZwg=PzjuXz+A=m4f1ts-aYng@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.4.130416
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] key sizes in TLS.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jun 2013 15:17:26 -0000
For example, proposed ciphersuites in http://tools.ietf.org/html/draft-mcgrew-tls-aes-ccm-ecc-06, it has requirements for client certificate, see the paragraph below. "The server's certificate MUST contain an ECDSA-capable public key, it MUST be signed with ECDSA, and it MUST use SHA-256, SHA-384, or SHA-512. The Signature Algorithms extension (Section 7.4.1.4.1 of [RFC5246] <http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1>) MUST be used to indicate support of those signature and hash algorithms. If a client certificate is used, the same conditions apply to it. The acceptable choices of hashes and curves that can be used with each ciphersuite are detailed in Section 2.2". However, in many other ciphersuites' specifications, there is no requirement about what key size(s) (curve(s)) (in ECDSA) to sign the client certificate. Regards, Quynh. On 6/11/13 6:12 AM, "Nikos Mavrogiannopoulos" <nmav@gnutls.org> wrote: >On Mon, Jun 10, 2013 at 4:08 PM, Dang, Quynh <quynh.dang@nist.gov> wrote: > >> I don¹t know if it would make sense to specify (1) a method for which >>the >> client can use to let the server know what key size(s) (DSS or RSA and >>DH) >> are acceptable and (2) a method for which the server can let the client >>know >> what key size(s) is/are acceptable to the server for the client's >> authentication. > >You are correct. That is an omission from the DHE key exchange in TLS. >At least in gnutls it caused several connection failure issues once we >required a DH group of more than 768 bits in the client. > >Overall my impression is that the DHE-based ciphersuites are pretty >much neglected. There are also optimizations that could be done (e.g., >the server specifying the size of the generator's subgroup), but >no-one ever bothered to update the protocol. > >> Even with some (or proposed) ECC-based cipher suites, there is similar >>issue >> about key sizes for client¹s authentication. > >Which ones do you mean? The ECC-based ciphersuites (with named >curves) have the size of the curve hard-coded so I have noticed no >such issues there. In that aspect they are better than their DH >counterparts. If you mean the ECC ciphersuites with explicit curves I >think you should reconsider their usage [0]. > >regards, >Nikos > >[0]. >https://www.cosic.esat.kuleuven.be/publications/private/article-2216.pdf
- [TLS] key sizes in TLS. Dang, Quynh
- Re: [TLS] key sizes in TLS. Nikos Mavrogiannopoulos
- Re: [TLS] key sizes in TLS. Nikos Mavrogiannopoulos
- Re: [TLS] key sizes in TLS. Dang, Quynh
- Re: [TLS] key sizes in TLS. Nikos Mavrogiannopoulos
- Re: [TLS] key sizes in TLS. Peter Gutmann
- Re: [TLS] key sizes in TLS. Nikos Mavrogiannopoulos